Cynos malware from AppGallery infiltrated at least 9.3 million Android devices

Doctor Web experts have detected Cynos malware (Android.Cynos.7.origin) in the official app store for Huawei devices, AppGallery. In total, Cynos-infected applications (usually games) were installed more than 9.3 million times.

The researchers write that Android.Cynos.7.origin is one of the modifications of the Cynos software module, which is designed to be embedded in Android applications in order to monetize them.

This platform has been known since at least 2014. Some of its versions have rather aggressive functionality: they send SMS messages to premium numbers and intercept incoming SMS, download and launch various modules, and download and install other applications.

In the new version found in AppGallery, the main functions are collecting information about users and their mobile devices, as well as displaying ads.

Cynos was found in 190 games featured in the AppGallery catalog. Among them are various simulators, platformers, arcades, strategies and shooters, with installation counts ranging from several thousand to several million. In total, they were downloaded by at least 9,300,000 users (the number of installations was calculated based on the download values for each application published in AppGallery).

Some of the games targeted a Russian-speaking audience and had localized Russian-language titles and descriptions. Others targeted a Chinese or international audience.

To gain access to certain data, the Trojan asks users for permission to control phone calls when an infected application is launched.

If the necessary rights are obtained, the Trojan collects and transmits the following information to the remote server:

  1. user’s mobile phone number;
  2. device location, which is determined based on GPS coordinates or data from a mobile network and a Wi-Fi access point (if the application has permission to access location);
  3. various parameters of the mobile network, such as network code, mobile country code, and, if the application has permission to access location, the ID of the base station and the international ID of the location area;
  4. various technical characteristics of the device;
  5. various parameters from the metadata of the application into which the trojan is embedded.
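
A defender-side triage of the permission request described above, added here as an example and not taken from Doctor Web's report: it parses `aapt dump permissions` output and reports which of the listed data categories an app could reach. The mapping of "control phone calls" to the Android permission names below, the risk levels, and the sample package names are assumptions of this example.

```python
import re

# Assumed mapping from the article's wording to Android permission names.
PHONE = {"android.permission.READ_PHONE_STATE",
         "android.permission.READ_PHONE_NUMBERS"}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'")

def parse_aapt(text):
    """Return (package, permissions) from `aapt dump permissions` output."""
    package, perms = None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
        elif (m := PERM_RE.match(line)):
            perms.add(m.group(1))
    return package, perms

def triage(text):
    """Flag which data categories from the list above an app could read."""
    package, perms = parse_aapt(text)
    phone, loc = bool(perms & PHONE), bool(perms & LOCATION)
    exposed = []
    if phone:
        exposed += ["phone number", "mobile network parameters"]
    if loc:
        exposed += ["device location", "base station and location area IDs"]
    level = "high" if phone and loc else "review" if phone or loc else "low"
    return {"package": package, "level": level, "exposed": exposed}

# Constructed sample inputs (placeholder package names, not from the article).
SAMPLE_GAME = """package: com.example.placeholder.kidsgame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
SAMPLE_CLEAN = """package: com.example.placeholder.puzzle
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.VIBRATE'
"""

if __name__ == "__main__":
    for sample in (SAMPLE_GAME, SAMPLE_CLEAN):
        print(triage(sample))
```

A "high" or "review" result for a simple offline game is a prompt to inspect the app, not proof that it contains Cynos.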

Although the leakage of information about a mobile number may seem at first glance to be a minor problem, experts write that in reality it can lead to serious negative consequences for users, especially given the fact that children were the main target audience of infected applications.

“Even if the phone number is listed as an adult, the fact of downloading a children’s game may very likely indicate that the child is actually using the phone. It is very doubtful that the parents will want to transfer the above data about the child’s phone not only to unknown foreign servers, but to anyone overall,” the experts say.

Doctor Web’s specialists have already notified Huawei about the identified threats, and all infected applications have now been removed from AppGallery.

As a reminder, we also wrote about SharkBot Android Trojan Steals Cryptocurrency and Hacks Bank Accounts.

Helga Smith

I was always interested in computer sciences, especially data security and the theme, which is called nowadays "data science", since my early teens. Before coming into the Virus Removal team as Editor-in-chief, I worked as a cybersecurity expert in several companies, including one of Amazon's contractors. Another experience I have got is teaching in Arden and Reading universities.